auth0/node-samlp

SAML Response not matching "saml-schema-protocol-2.0.xsd" - Assertion rejected

yesvivek opened this issue · 5 comments

When signing the entire SAML Response, one of the Service Providers rejected the Assertion, stating that the ordering of the Signature element is incorrect and not compliant with "saml-schema-protocol-2.0.xsd".
According to them and the XSD, the Signature should always come after the Issuer element in the SAML Response or Assertion. In samlp's SAML Response, the Signature element is placed in the Response just after the Assertion element - sample response for reference.

Refer to the example here and here (check "SAML Response with Signed Message").

Is it possible to achieve the specified ordering? I have checked samlresponse.ejs but it doesn't seem to be enough to get there. Any help here is appreciated.

@yesvivek we should replace this line https://github.com/auth0/node-samlp/blob/master/lib/samlp.js#L52 with something like this:

sig.computeSignature(cannonicalized, { prefix: options.signatureNamespacePrefix, location: { action: 'after', reference: "//*[local-name(.)='Issuer']" }});

I'll send an update to the library with some tests later this week.
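The schema point raised above can also be checked on the receiving side. The following is an added example, not code from node-samlp or from either commenter: a small Node.js check that lists the direct children of a samlp:Response and verifies they follow the element order saml-schema-protocol-2.0.xsd prescribes (Issuer, Signature, Extensions, Status, then Assertion/EncryptedAssertion). The two XML documents are constructed for illustration (one with the Signature after the Assertion, as the issue describes, one with it after the Issuer); the tag scanner is deliberately minimal and assumes well-formed XML without CDATA sections or comments.

```javascript
// Added example (not node-samlp's code). Verifies that the direct children of a
// samlp:Response appear in the order required by saml-schema-protocol-2.0.xsd:
//   StatusResponseType: Issuer?, ds:Signature?, Extensions?, Status
//   ResponseType adds:  (Assertion | EncryptedAssertion)*
const RESPONSE_CHILD_ORDER = ['Issuer', 'Signature', 'Extensions', 'Status', 'Assertion', 'EncryptedAssertion'];
const ASSERTION_SLOT = RESPONSE_CHILD_ORDER.indexOf('Assertion');

// Return the local names of the document element's direct children, in document order.
// Minimal tag scanner: assumes well-formed XML, no CDATA, no comments (assumption).
function directChildLocalNames(xml) {
  const tagRe = /<(\/?)(?:[A-Za-z_][\w.-]*:)?([A-Za-z_][\w.-]*)[^>]*?(\/?)>/g;
  const names = [];
  let depth = 0;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const isClose = m[1] === '/';
    const local = m[2];
    const selfClosing = m[3] === '/';
    if (isClose) { depth--; continue; }
    if (depth === 1) names.push(local);   // depth 1 == direct child of the root
    if (!selfClosing) depth++;
  }
  return names;
}

// Returns null when the child order is schema-compliant, otherwise a message
// naming the offending element.
function checkResponseChildOrder(xml) {
  const names = directChildLocalNames(xml);
  let lastIndex = -1;
  let lastName = null;
  for (const name of names) {
    const idx = RESPONSE_CHILD_ORDER.indexOf(name);
    if (idx === -1) return `unexpected child element: ${name}`;
    if (idx < lastIndex) {
      return `${name} appears after ${lastName}; schema requires ${RESPONSE_CHILD_ORDER.join(', ')} order`;
    }
    if (idx === lastIndex && idx < ASSERTION_SLOT) return `duplicate ${name} element`;
    // Assertion and EncryptedAssertion may be interleaved freely, so both share one slot.
    lastIndex = idx >= ASSERTION_SLOT ? ASSERTION_SLOT : idx;
    lastName = name;
  }
  if (!names.includes('Status')) return 'missing required Status element';
  return null;
}

// Constructed sample modelled on the layout the issue describes: Signature after Assertion.
const SIGNATURE_AFTER_ASSERTION = `<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
</samlp:Response>`;

// Constructed sample with the Signature placed directly after the Issuer.
const SIGNATURE_AFTER_ISSUER = `<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a2" Version="2.0"><saml:Issuer>https://idp.example.test</saml:Issuer></saml:Assertion>
</samlp:Response>`;

console.log('signature after assertion:', checkResponseChildOrder(SIGNATURE_AFTER_ASSERTION));
console.log('signature after issuer:   ', checkResponseChildOrder(SIGNATURE_AFTER_ISSUER));
```

Element order is a schema check only; the cryptographic verification of the Signature (reference URI, digest, canonicalisation, certificate) still has to happen separately, and an ordering check like this is most useful as an early, cheap rejection before that work.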

@mcastany That change is all that's needed; it works well now. Thanks a lot!

Not sure whether this is fixed already or not. @mcastany, could you please confirm?

@yesvivek no, sorry. I see that there are two PRs open for this. I have requested some changes + tests. I'll let you know when this is fixed.

v3.3.2 published